
Researchers at Armis Labs have uncovered ten severe vulnerabilities in Copeland’s E2 and E3 industrial controllers, widely deployed by the world’s largest retail chains and cold storage providers. These devices manage refrigeration systems, HVAC, lighting, and other mission-critical infrastructure across thousands of supermarkets and logistics centers. The flaws, collectively named Frostbyte10, include three rated as critical under the CVSS scale.
According to Armis, several of these vulnerabilities enable unauthenticated remote code execution with root privileges, posing a direct threat to global food and pharmaceutical supply chains. Attackers could manipulate temperature controls, spoil perishable goods or medications, and inflict devastating financial damage.
Copeland has released firmware update 2.31F01 for E3 controllers, addressing all ten vulnerabilities. The E2 series, however, reached end-of-support in October, and users are strongly advised to migrate to E3. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is also expected to issue an advisory urging immediate updates to affected systems.
During their investigation, Armis researchers discovered the flaws by analyzing traffic from Copeland devices deployed at a major retail client. The first issue surfaced inadvertently after a crash caused by malformed data. In total, ten distinct weaknesses were documented.
These included cross-site scripting (XSS) via a predictable administrator password, authentication flaws where only a password hash was needed, API misconfigurations enabling remote crashes or arbitrary file reads, and the ability to enumerate all users and password hashes. Other findings revealed the absence of firmware signature validation (allowing malicious updates), hidden remote access services such as SSH and Shellinabox, and even predictable Linux root passwords generated at every boot. The legacy E2 line contained an additional flaw permitting unauthenticated file operations due to the lack of encryption in its communication protocol.
Of particular concern was the presence of a built-in administrator account with a daily password generated through a predictable algorithm, effectively granting adversaries administrative access. Combined with the predictable root password and hidden APIs enabling remote access, attackers could achieve full device compromise and arbitrary code execution.
Armis warns that both state-sponsored actors and ransomware groups are increasingly targeting critical infrastructure tied to logistics, cooling, and power. Such devices are especially lucrative for extortion: every hour of downtime can translate into multimillion-dollar losses.
Copeland acknowledged that the ONEDAY user account with a recurring password was originally introduced at customer request for simplified remote access. The vendor has since removed this capability and is transitioning to stronger authentication policies. A company spokesperson emphasized that while no exploitation has yet been observed, the fixes were implemented proactively.
Experts strongly urge all Copeland E2 and E3 users to update their firmware without delay, stressing that several vulnerabilities enable complete device takeover and disruption of entire systems. Although no active attacks have been recorded, the potential consequences would be catastrophic—not only for individual businesses but for entire supply chains.